Solaris hole opening way for hackers

Online vandals are using a two-month-old security hole in Sun Microsystems' Solaris and other Unix OSes to break into servers on the Internet.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
2 min read
Online vandals are using a two-month-old security hole in Sun Microsystems' Solaris and other Unix operating systems to break into servers on the Internet, a security expert said Tuesday.

Researchers witnessed the attack when one intruder broke into a Solaris server under intense observation as part of the Honeynet Project, an initiative to develop ways to turn spare computers into digital fly traps to study and document actual Internet attacks.

"One of our honey pots got whacked with it," said Lance Spitzner, project manager for the Honeynet Project. "As far as we know, it was the first time we saw (this flaw) used in the wild."

The flaw, commonly referred to as a "buffer overflow," allows a specially crafted packet of Internet data to cause a computer to give an online vandal full access to its capabilities. Details of the software hole, which affects Solaris, IBM's AIX, HP-UX and other Unix operating systems, were published in November.

A system component used to remotely run applications--known as the Common Desktop Environment subprocess control service--had the bug. Linux, which typically does not use the flawed component, seems to be unaffected. In the two months since details of the flaw were released, vendors have published patches to fix it.

In this particular instance, an attacker found the weakness in an unpatched Solaris server, Spitzner said.

"The bad guy accessed our system, downloaded a back door, and made it so he could log in anytime he wanted," he said. "Then, he logged in a couple days later and loaded a denial-of-service tool to attack several online chat servers."

Denial-of-service, or DoS, attacks attempt to overload or crash a computer, thus making it inaccessible.

The Computer Emergency Response Team, or CERT, Coordination Center, an online security watchdog, first reported the vulnerability last November.

On Monday, the group posted an advisory about the use of the flaw, adding that administrators should install the patch from Sun, limit access to the vulnerable service, or disable the service.

Solaris is Sun's proprietary variant of the Unix operating system. Last October, the FBI published a list of flaws that affected major operating systems, including Solaris.